SlideShare a Scribd company logo

Formula Injection by Chirag Savla

N
nullowaspmumbai

Formula Injection by Chirag Savla Formula Injection (or Spreadsheet Formula Injection) vulnerability affects applications that export spreadsheet files which are dynamically constructed from inadequately validated input data. Many modern web applications and frameworks offer spreadsheet export functionality, allowing users to download data in a .csv or .xls file suitable for handling in spreadsheet applications like Microsoft Excel and OpenOffice Calc. The resulting spreadsheet’s cells often contain input from untrusted sources such as survey responses, transaction details, and user-supplied addresses. Once injected, it affects application end-users that access the application exported spreadsheet files. Successful exploitation can lead to impacts such as client-sided command injection, code execution or remote ex-filtration of contained confidential data

Technology
1 of 10
Download to read offline
• Formula Injection (or Spreadsheet Formula Injection) vulnerability affects applications that export spreadsheet files which are dynamically constructed from inadequately validated input data. • Many modern web applications and frameworks offer spreadsheet export functionality, allowing users to download data in a .csv or .xls file suitable for handling in spreadsheet applications like Microsoft Excel and OpenOffice Calc. • Thus resulting spreadsheet’s cells often contain input from untrusted sources such as survey responses, transaction details, and user- supplied addresses. Once injected, it affects application end-users that access the application exported spreadsheet files. • Successful exploitation can lead to impacts such as client-sided command injection, code execution or remote ex-filtration of contained confidential data.
• When can some one exploit Formula / CSV Injection ? Formula Injection can be exploited when the application has export to excel functionality. happens on spreadsheet files which are dynamically constructed from inadequately validated input data • What can be done using Formula / CSV Injection ? Successful execution can help attacker to carry out client-sided command inject, remote code execution or can download some malware on the system.
• What are the payload used to test / exploit Formula / CSV Injection ? Any excel formula can be used to test formula injection. Eg:- =sum(10+10) • What else can be used to exploit Formula / CSV Injection ? 1) Macros 2) PowerShell
• Different ways of writing formula in excel We can write formula in excel starting with 1) = 2) + 3) - 4) @
• Making the Payload a Success on different platforms (Advance Payload) The formula injection flaw occurs due to the concept of Dynamic Data Exchange (DDE). DDE is a protocol for interprocess communication under Windows supported by Microsoft Excel, LibreOffice and Apache OpenOffice. In Libreoffice and Apache Openoffice, it can be invoked using the following formula: =DDE(server; file; item; mode) Example: this one launches calc.exe =DDE("cmd";"/C calc";"__DdeLink_60_870516294") In Microsoft Excel it can be invoked using: =cmd|'/C calc.exe'!Z0
• Preventing formula injection is the concern for every application that generates spreadsheets comprising user-supplied content. • At present, the best defence strategy is prefixing cells that start with ‘=’ and ‘+’ with an apostrophe or a Space. This will ensure that the cell isn’t interpreted as a formula. • As an added advantage Microsoft Excel the apostrophe itself will not be displayed. • HTMLEncoding for special characters can be used as prevention. • Input validation for = or + characters can be put in place on client and server side.
• https://pentestmag.com/formula-injection/ • http://www.contextis.com/resources/blog/comma-separated- vulnerabilities/ • https://appsec-labs.com/portal/formula-injection/
Formula Injection by Chirag Savla

Recommended

Bug Hunting Safari
Bug Hunting SafariBug Hunting Safari
Bug Hunting SafariJanie Clayton
 
Fuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 JuneFuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 Junenullowaspmumbai
 
Xxe
XxeXxe
Xxenullowaspmumbai
 
ELK in Security Analytics
ELK in Security Analytics ELK in Security Analytics
ELK in Security Analytics nullowaspmumbai
 
Switch security
Switch securitySwitch security
Switch securitynullowaspmumbai
 
Radio hacking - Part 1
Radio hacking - Part 1 Radio hacking - Part 1
Radio hacking - Part 1 nullowaspmumbai
 
How I got my First CVE
How I got my First CVE How I got my First CVE
How I got my First CVE nullowaspmumbai
 
Power forensics
Power forensicsPower forensics
Power forensicsnullowaspmumbai
 

Recommended

Bug Hunting Safari
Bug Hunting SafariBug Hunting Safari
Bug Hunting SafariJanie Clayton
 
Fuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 JuneFuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 Junenullowaspmumbai
 
Xxe
XxeXxe
Xxenullowaspmumbai
 
ELK in Security Analytics
ELK in Security Analytics ELK in Security Analytics
ELK in Security Analytics nullowaspmumbai
 
Switch security
Switch securitySwitch security
Switch securitynullowaspmumbai
 
Radio hacking - Part 1
Radio hacking - Part 1 Radio hacking - Part 1
Radio hacking - Part 1 nullowaspmumbai
 
How I got my First CVE
How I got my First CVE How I got my First CVE
How I got my First CVE nullowaspmumbai
 
Power forensics
Power forensicsPower forensics
Power forensicsnullowaspmumbai
 
Infrastructure security & Incident Management
Infrastructure security & Incident Management Infrastructure security & Incident Management
Infrastructure security & Incident Management nullowaspmumbai
 
Middleware hacking
Middleware hackingMiddleware hacking
Middleware hackingnullowaspmumbai
 
Internet censorship circumvention techniques
Internet censorship circumvention techniquesInternet censorship circumvention techniques
Internet censorship circumvention techniquesnullowaspmumbai
 
How i got my first cve
How i got my first cveHow i got my first cve
How i got my first cvenullowaspmumbai
 
Adversarial machine learning updated
Adversarial machine learning updatedAdversarial machine learning updated
Adversarial machine learning updatednullowaspmumbai
 
Commix
Commix Commix
Commix nullowaspmumbai
 
Adversarial machine learning
Adversarial machine learning Adversarial machine learning
Adversarial machine learning nullowaspmumbai
 
Dll Hijacking
Dll Hijacking Dll Hijacking
Dll Hijacking nullowaspmumbai
 
Abusing Target
Abusing Target Abusing Target
Abusing Target nullowaspmumbai
 
NTFS Forensics
NTFS Forensics NTFS Forensics
NTFS Forensics nullowaspmumbai
 
Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool nullowaspmumbai
 
Middleware hacking
Middleware hackingMiddleware hacking
Middleware hackingnullowaspmumbai
 
Ganesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsGanesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsnullowaspmumbai
 
Buffer overflow null
Buffer overflow nullBuffer overflow null
Buffer overflow nullnullowaspmumbai
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 
Null mumbai Session on ransomware by_Aditya Jamkhande
Null mumbai Session on ransomware by_Aditya JamkhandeNull mumbai Session on ransomware by_Aditya Jamkhande
Null mumbai Session on ransomware by_Aditya Jamkhandenullowaspmumbai
 
Null mumbai news bytes by Rahul Tulaskar
Null mumbai news bytes by Rahul TulaskarNull mumbai news bytes by Rahul Tulaskar
Null mumbai news bytes by Rahul Tulaskarnullowaspmumbai
 
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shahNull 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shahnullowaspmumbai
 
Null Mumbai 14th May News bytes by Dhawal Shah
Null Mumbai 14th May News bytes by Dhawal ShahNull Mumbai 14th May News bytes by Dhawal Shah
Null Mumbai 14th May News bytes by Dhawal Shahnullowaspmumbai
 
Null Mumbai 14th May Lesser Known Webapp attacks by Ninad Sarang
Null Mumbai 14th May Lesser Known Webapp attacks by Ninad SarangNull Mumbai 14th May Lesser Known Webapp attacks by Ninad Sarang
Null Mumbai 14th May Lesser Known Webapp attacks by Ninad Sarangnullowaspmumbai
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 

More Related Content

More from nullowaspmumbai

Infrastructure security & Incident Management
Infrastructure security & Incident Management Infrastructure security & Incident Management
Infrastructure security & Incident Management nullowaspmumbai
 
Internet censorship circumvention techniques
Internet censorship circumvention techniquesInternet censorship circumvention techniques
Internet censorship circumvention techniquesnullowaspmumbai
 
Adversarial machine learning updated
Adversarial machine learning updatedAdversarial machine learning updated
Adversarial machine learning updatednullowaspmumbai
 
Adversarial machine learning
Adversarial machine learning Adversarial machine learning
Adversarial machine learning nullowaspmumbai
 
Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool nullowaspmumbai
 
Ganesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsGanesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsnullowaspmumbai
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 
Null mumbai Session on ransomware by_Aditya Jamkhande
Null mumbai Session on ransomware by_Aditya JamkhandeNull mumbai Session on ransomware by_Aditya Jamkhande
Null mumbai Session on ransomware by_Aditya Jamkhandenullowaspmumbai
 
Null mumbai news bytes by Rahul Tulaskar
Null mumbai news bytes by Rahul TulaskarNull mumbai news bytes by Rahul Tulaskar
Null mumbai news bytes by Rahul Tulaskarnullowaspmumbai
 
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shahNull 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shahnullowaspmumbai
 
Null Mumbai 14th May News bytes by Dhawal Shah
Null Mumbai 14th May News bytes by Dhawal ShahNull Mumbai 14th May News bytes by Dhawal Shah
Null Mumbai 14th May News bytes by Dhawal Shahnullowaspmumbai
 
Null Mumbai 14th May Lesser Known Webapp attacks by Ninad Sarang
Null Mumbai 14th May Lesser Known Webapp attacks by Ninad SarangNull Mumbai 14th May Lesser Known Webapp attacks by Ninad Sarang
Null Mumbai 14th May Lesser Known Webapp attacks by Ninad Sarangnullowaspmumbai
 

More from nullowaspmumbai (20)

Infrastructure security & Incident Management
Infrastructure security & Incident Management Infrastructure security & Incident Management
Infrastructure security & Incident Management
 
Middleware hacking
Middleware hackingMiddleware hacking
Middleware hacking
 
Internet censorship circumvention techniques
Internet censorship circumvention techniquesInternet censorship circumvention techniques
Internet censorship circumvention techniques
 
How i got my first cve
How i got my first cveHow i got my first cve
How i got my first cve
 
Adversarial machine learning updated
Adversarial machine learning updatedAdversarial machine learning updated
Adversarial machine learning updated
 
Commix
Commix Commix
Commix
 
Adversarial machine learning
Adversarial machine learning Adversarial machine learning
Adversarial machine learning
 
Dll Hijacking
Dll Hijacking Dll Hijacking
Dll Hijacking
 
Abusing Target
Abusing Target Abusing Target
Abusing Target
 
NTFS Forensics
NTFS Forensics NTFS Forensics
NTFS Forensics
 
Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool
 
Middleware hacking
Middleware hackingMiddleware hacking
Middleware hacking
 
Ganesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsGanesh naik linux_kernel_internals
Ganesh naik linux_kernel_internals
 
Buffer overflow null
Buffer overflow nullBuffer overflow null
Buffer overflow null
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 
Null mumbai Session on ransomware by_Aditya Jamkhande
Null mumbai Session on ransomware by_Aditya JamkhandeNull mumbai Session on ransomware by_Aditya Jamkhande
Null mumbai Session on ransomware by_Aditya Jamkhande
 
Null mumbai news bytes by Rahul Tulaskar
Null mumbai news bytes by Rahul TulaskarNull mumbai news bytes by Rahul Tulaskar
Null mumbai news bytes by Rahul Tulaskar
 
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shahNull 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
 
Null Mumbai 14th May News bytes by Dhawal Shah
Null Mumbai 14th May News bytes by Dhawal ShahNull Mumbai 14th May News bytes by Dhawal Shah
Null Mumbai 14th May News bytes by Dhawal Shah
 
Null Mumbai 14th May Lesser Known Webapp attacks by Ninad Sarang
Null Mumbai 14th May Lesser Known Webapp attacks by Ninad SarangNull Mumbai 14th May Lesser Known Webapp attacks by Ninad Sarang
Null Mumbai 14th May Lesser Known Webapp attacks by Ninad Sarang
 

Recently uploaded

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 

Recently uploaded (20)

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 

Formula Injection by Chirag Savla

  • 1.
  • 2. • Formula Injection (or Spreadsheet Formula Injection) vulnerability affects applications that export spreadsheet files which are dynamically constructed from inadequately validated input data. • Many modern web applications and frameworks offer spreadsheet export functionality, allowing users to download data in a .csv or .xls file suitable for handling in spreadsheet applications like Microsoft Excel and OpenOffice Calc. • Thus resulting spreadsheet’s cells often contain input from untrusted sources such as survey responses, transaction details, and user- supplied addresses. Once injected, it affects application end-users that access the application exported spreadsheet files. • Successful exploitation can lead to impacts such as client-sided command injection, code execution or remote ex-filtration of contained confidential data.
  • 3. • When can some one exploit Formula / CSV Injection ? Formula Injection can be exploited when the application has export to excel functionality. happens on spreadsheet files which are dynamically constructed from inadequately validated input data • What can be done using Formula / CSV Injection ? Successful execution can help attacker to carry out client-sided command inject, remote code execution or can download some malware on the system.
  • 4. • What are the payload used to test / exploit Formula / CSV Injection ? Any excel formula can be used to test formula injection. Eg:- =sum(10+10) • What else can be used to exploit Formula / CSV Injection ? 1) Macros 2) PowerShell
  • 5. • Different ways of writing formula in excel We can write formula in excel starting with 1) = 2) + 3) - 4) @
  • 6. • Making the Payload a Success on different platforms (Advance Payload) The formula injection flaw occurs due to the concept of Dynamic Data Exchange (DDE). DDE is a protocol for interprocess communication under Windows supported by Microsoft Excel, LibreOffice and Apache OpenOffice. In Libreoffice and Apache Openoffice, it can be invoked using the following formula: =DDE(server; file; item; mode) Example: this one launches calc.exe =DDE("cmd";"/C calc";"__DdeLink_60_870516294") In Microsoft Excel it can be invoked using: =cmd|'/C calc.exe'!Z0
  • 7.
  • 8. • Preventing formula injection is the concern for every application that generates spreadsheets comprising user-supplied content. • At present, the best defence strategy is prefixing cells that start with ‘=’ and ‘+’ with an apostrophe or a Space. This will ensure that the cell isn’t interpreted as a formula. • As an added advantage Microsoft Excel the apostrophe itself will not be displayed. • HTMLEncoding for special characters can be used as prevention. • Input validation for = or + characters can be put in place on client and server side.